On Windows, if the app is configured to access files from a remote network, an attacker on the local network could cause the app to access a malicious file (e.g. a virus or a trojan horse) in the remote network. This type of attack is known as 'link following'.

In order to exploit this issue, the attacker needs to set up a 'malicious' or 'poisoned' IP address on the local network interface of the victim's system. Then, the attacker needs to launch a specially crafted URL to the victim's system. The victim's system will then try to access the URL, and if the URL is 'poisoned' then the system will try to access the file on the attacker's system. If the attacker has set up a specially crafted IP address on the local network interface of the victim's system, then the victim's system will try to access the file on the attacker's system. In this case, the attacker sets up a 'malicious' or 'poisoned' IP address.

As mentioned, the attacker can try to launch a specially crafted URL to the victim's system. For example, the attacker could launch a URL such as the following:

http://192.168.1.1/script>/script>

When the victim's system tries to access the URL above, the system will try to access the file on the attacker's system. Therefore, an attacker can launch a specially crafted URL

Microsoft Windows CVE-2022-0018

Scenario 3: A remote code execution vulnerability exists in the app's web server.

In scenario 3, a remote code execution vulnerability exists in the app's web server. The app allows an attacker to upload a malicious file (e.g. a virus or a trojan horse) to the remote web server and then execute it. This type of attack is known as 'server-side request forgery'.

To exploit this issue, the attacker needs to set up a 'malicious' or 'poisoned' IP address on the local network interface of the victim's system. Then, the attacker needs to launch a specially crafted URL to the victim's system. The victim's system will then try to access the URL, and if the URL is 'poisoned' then the system will try to access and execute the file on the attacker's system. In this case, the attacker sets up a 'malicious' or 'poisoned' IP address on the local network interface of the victim's system.

As mentioned, the attacker can try to launch a specially crafted URL to the victim's system. For example, an attacker could launch a URL such as one of these:

http://192.168.1.1/script>/script>

http://192.168.1.1:8080/Script>/Script>

Exploit proof of concept code

It should be noted that this exploit is not able to execute arbitrary code, but it will cause the victim's system to access a file on the attacker's system.
Below, I have included code that could be used as an exploit proof of concept.
The exploit proof of concept below will launch a URL (http://192.168.1.1/script>/script>), and if the URL is 'poisoned' then the victim's system will try to access the file on the attacker's system. This can potentially lead to remote code execution if one of those files happens to be a malicious executable payload that is waiting for a connection from a vulnerable device, like in RDP or SSH.

Timeline

Published on: 02/10/2022 18:15:00 UTC
Last modified on: 02/17/2022 14:14:00 UTC
